
Ranger admin password authentication from openldap


Hello Team,

I have a query about Ranger admin account authentication being done from an OpenLDAP server.

-- When I log in to the Ranger UI, it asks for credentials; I enter the defaults, i.e. admin - admin, and it logs me in.


Ranger is integrated with OpenLDAP by updating the LDAP configs in ranger - config - advanced - common configs, users config and group configs.

Question 1: Now if I log back in to the Ranger UI, will it accept the Ranger default admin credential or will it accept the OpenLDAP admin credential?


The Ranger plugin for any service like HDFS has a username/password mentioned, which is also admin/admin by default.

After integrating with OpenLDAP, does the OpenLDAP admin password need to be updated in the UI of the Ranger HDFS plugin and under hdfs service - config - ranger-hdfs-plugin properties?

- Vijay Mishra


Re: Ranger admin password authentication from openldap

Question 1:

-- Internal users will work fine even after LDAP integration. The 'admin' user is an internal user and it should work fine.

-- LDAP users are considered external users from Ranger's perspective, and the Ranger UI should show them as external.

-- LDAP users should use the LDAP password to log in to Ranger.

Question 2:

-- No need to update any plugin properties.

-- In a Kerberos env, plugins use keytabs for downloading policies from Ranger. For resource lookup, the rangerlookup keytab is used.

Re: Ranger admin password authentication from openldap



Thanks for the reply.

Query on question 1:

So post LDAP integration, even if LDAP has a user admin in it, while logging in to the Ranger UI the user admin will get authenticated by the Ranger DB, not by OpenLDAP, right?

Query on Question2:

a. No kerberos:

All plugin repos have a username/password defined, which is admin/admin, so post LDAP integration will the plugin repo get authenticated by the Ranger DB or OpenLDAP?

b. With Kerberos:

Do I need to create a separate/single principal/keytab for all plugin repos of Ranger like hdfs, hbase, kafka, yarn, etc.?

- Vijay Mishra

Re: Ranger admin password authentication from openldap


Internal users will be authenticated via the Ranger password, while LDAP users will be authenticated by the LDAP password. If you want to designate an LDAP user as a "ranger admin" user, you need to change their role within the Ranger UI.

With Kerberos, Ambari will generate all required keytabs. The user name/password defined in the repo is used only for lookup (Ranger uses this information to talk to the actual service, so no LDAP or Ranger authentication here), so it needs to be configured as required.

Hope this helps.
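
An added example (not part of the thread and not Ranger's own code): a small audit that groups admin-role accounts by the backend that checks their password, following the internal/external rule given in the replies. The JSON shape, field names, role strings and source codes are assumptions, and the sample listing is constructed.

```python
import json

# Constructed sample, shaped like a Ranger user listing. The field names
# (vXUsers, name, userSource, userRoleList) and role strings are assumptions.
SAMPLE = """
{"vXUsers": [
  {"name": "admin",          "userSource": 0, "userRoleList": ["ROLE_SYS_ADMIN"]},
  {"name": "rangerusersync", "userSource": 0, "userRoleList": ["ROLE_SYS_ADMIN"]},
  {"name": "keyadmin",       "userSource": 0, "userRoleList": ["ROLE_KEY_ADMIN"]},
  {"name": "ldapadmin",      "userSource": 1, "userRoleList": ["ROLE_SYS_ADMIN"]},
  {"name": "vijay",          "userSource": 1, "userRoleList": ["ROLE_USER"]},
  {"name": "legacy",         "userRoleList": ["ROLE_SYS_ADMIN"]}
]}
"""

ADMIN_ROLES = {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN"}  # assumed role names
BACKENDS = {0: "ranger-db", 1: "ldap"}              # assumed: 0 internal, 1 external


def auth_backend(user):
    """Where this account's password is checked, per the thread's rule."""
    return BACKENDS.get(user.get("userSource"), "unknown")


def audit_admins(listing_json):
    """Group admin-role accounts by the backend that authenticates them."""
    report = {"ranger-db": [], "ldap": [], "unknown": []}
    for user in json.loads(listing_json).get("vXUsers", []):
        # Only accounts holding an admin role matter for this audit.
        if ADMIN_ROLES & set(user.get("userRoleList") or []):
            report[auth_backend(user)].append(user["name"])
    return {backend: sorted(names) for backend, names in report.items()}


if __name__ == "__main__":
    for backend, names in audit_admins(SAMPLE).items():
        print(f"{backend:10} {', '.join(names) or '-'}")
```

Accounts listed under `ranger-db` keep logging in with their Ranger password after LDAP integration, so those are the ones where a default such as admin/admin still needs changing inside Ranger.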